Updating cicd #169
Co-authored-by: Ivan Fernandez Calvo <kuisathaverat@users.noreply.github.com>
@elastic/ci-robots Could you review this one?
There are a lot of files in this PR that are specific to this repo's custom functionality, except for the |
# Conflicts: # .github/workflows/release.yml
.buildkite/release.yml
Outdated
- uses: elastic/apm-pipeline-library/.github/actions/github-token@current | ||
with: | ||
url: ${{ secrets.VAULT_ADDR }} | ||
roleId: ${{ secrets.VAULT_ROLE_ID }} | ||
secretId: ${{ secrets.VAULT_SECRET_ID }} | ||
- uses: elastic/apm-pipeline-library/.github/actions/setup-git@current | ||
with: | ||
username: ${{ env.GIT_USER }} | ||
email: ${{ env.GIT_EMAIL }} | ||
token: ${{ env.GITHUB_TOKEN }} |
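Review bot: Both `uses:` references here are pinned to the movable `@current` ref, and the `github-token` step is handed the Vault role and secret IDs (`roleId`, `secretId`), so whatever `current` points to at run time receives those credentials; pinning each action to a full commit SHA would fix which code runs with them. The `uses:`/`with:` step form is also GitHub Actions syntax, so in `.buildkite/release.yml` these steps need to be rewritten as Buildkite steps or moved into a workflow under `.github/workflows/`.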
Sorry if I created any confusion.
However, this is GH workflow syntax. This won't work in a buildkite pipeline.
Here is an example of how secrets are currently acquired from vault.
apm-agent-android/.ci/release.sh
Line 62 in b425386
PLUGIN_PORTAL_KEY=$(vault read secret/release/gradle-plugin-portal -format=json | jq -r .data.key)
You would need to get the token in the same manner.
Unfortunately, I don't know if there is a token for apmmachine stored in the ci vault.
@elastic/observablt-ci anyone of you knows how to get the secret for apmmachine in buildkite?
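With the `vault read … | jq -r .data.key` pattern quoted above, a missing field makes `jq -r` print the literal string `null`, which a script then uses as if it were the credential. The following is an added example, not part of this thread or the project's scripts, of a fail-closed extraction; the function name `read_secret_field` and the sample JSON are constructed for illustration.

```shell
#!/bin/sh
# Added example: fail-closed extraction of one field from Vault JSON output.
# Constructed sample responses stand in for Vault so this runs offline.

# read_secret_field FIELD
# Reads a Vault JSON response on stdin and prints .data.FIELD.
# Returns non-zero when the input is not JSON or the field is missing,
# null, or empty, so the caller never receives "null" as a credential.
read_secret_field() {
  _rsf_value=$(jq -er --arg f "$1" \
    '.data[$f] | select(type == "string" and length > 0)') || return 1
  printf '%s' "$_rsf_value"
}

# Constructed sample responses (not real Vault output).
GOOD_JSON='{"data":{"key":"s3cr3t-constructed"}}'
MISSING_JSON='{"data":{"other":"x"}}'

# In a pipeline, stdin would come from the command shown in the comment above:
#   vault read secret/release/gradle-plugin-portal -format=json | read_secret_field key
# Run that under a shell with pipefail enabled so a failing `vault` is caught too.

# Report only the length, never the secret itself.
if token=$(printf '%s' "$GOOD_JSON" | read_secret_field key); then
  echo "ok: got ${#token} characters"
fi

# A response without the requested field is rejected instead of yielding "null".
if ! printf '%s' "$MISSING_JSON" | read_secret_field key >/dev/null; then
  echo "missing field rejected"
fi
```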
Oh! I see, tbh I thought it seemed too easy to be true 😅 - I've been mostly looking at how this has been done in the Java Agent repo. And after a closer look, it seems like the code change pushed into main is done outside of Buildkite, so I'm thinking that maybe that can be done here as well, in case getting this token inside Buildkite might not be worth the trouble... So I'll take a look at that alternative in the meantime, cheers.
> @elastic/observablt-ci anyone of you knows how to get the secret for apmmachine in buildkite?
Buildkite can retrieve secrets from another vault.
I will send the documentation by DM since it's internal.
I just moved the post-deploy command to the GH release.yml file here alongside the GIT auth set up as well, I think it should work. Any thoughts @reakaleek @amannocci ?
I've added a new GH action job that should run after the release has been successful. In this new job we should do the version bump and changelog update and it should all get pushed straight into the main branch. I think it should work the way I wrote it, if there are any issues please let me know @amannocci @reakaleek - Otherwise I'm planning to merge this by the end of this week and apply future adjustments if needed since this PR has been open for too long now.
I think you need to set waitFor to true
waitFor: false
so this works as expected
Another thing I noticed:
pushing to protected branches does not work out of the box in github actions.
You need to use a GH Personal Access Token that has elevated permissions.
You can find an example job here with the necessary setup to do pushing to a protected branch:
https://github.com/elastic/apm-agent-java/blob/main/.github/workflows/release.yml#L128-L151
Also, we need to add @apmmachine as a collaborator with a role that is able to bypass branch protection.
Many thanks @reakaleek - I've just updated the job based on your suggestions. I hope it's better now. I'm not sure if @apmmachine already has that ability in this repo, although if that's not the case I'd request for it later.
# Conflicts: # agp-compatibility/agp-compatibility-7-2/metadata/notice.properties # agp-compatibility/agp-compatibility-7-3/metadata/notice.properties # agp-compatibility/agp-compatibility-api/metadata/notice.properties # android-common/metadata/notice.properties # android-instrumentation/metadata/notice.properties # android-plugin/metadata/notice.properties # android-sdk-ktx/metadata/notice.properties # android-sdk/metadata/notice.properties
…ne to push changes straight into the main branch
.github/workflows/release.yml
Outdated
token: ${{ env.GITHUB_TOKEN }} | ||
- uses: actions/checkout@v3 | ||
with: | ||
ref: ${{ env.TAG_NAME }} |
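Review bot: `ref: ${{ env.TAG_NAME }}` on the `actions/checkout@v3` step checks out what is, by its name, a tag, which leaves the working tree on a detached HEAD; if the steps after it commit and push to a branch, the checkout should name that branch instead. `actions/checkout@v3` is also a movable major-version tag, and the preceding step is given `token: ${{ env.GITHUB_TOKEN }}`, so pinning the action to a full commit SHA is worth doing in a job that handles a push-capable token.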
I guess this is a copy paste error. I think this should be something different.
maybe inputs.branch_specifier or just hardcoded main?
I didn't notice, thanks for the heads-up! It should be fine now.
No description provided.